Beware the hacker next door

By Calum Macleod, Cyber-Ark

After many years in the IT industry I’ve learned that hackers don't always fit the stereotype. In fact, the most common type of hacker is sitting in the cubicle next to you, right now. According to Carnegie Mellon University’s Software Engineering Institute CERT Program study, up to 90% of incidents in business relating to the loss of assets result from staff who have privileged access to IT systems and applications.

This is someone who gets to work early, takes his or her turn cleaning out the office fridge, tells funny stories at lunch and, at some point, makes a very dumb move. It often starts when this hacker-next-door sees a file directory or workstation that’s just too juicy to pass by, like one named “Salary Comparison.” It’s simply too tempting NOT to peek inside.

How do these attackers get access to critical systems? All too easily.

Once that hacker-next-door decides to break into a target system, their next stop is a search engine. A few keywords later, and anyone can discover that the most common -- and effective -- way to hack into a target system is to become what’s called a “script kiddie.” Script kiddies use default lists of privileged passwords, or the superuser/administrative codes built into every piece of hardware and software. Have you ever noticed the “Administrator” ID next to your name when you log in to your workstation? That’s a privileged user and password, a backdoor into your system built by the manufacturer. It cannot be disabled or destroyed.

Let’s turn back to our hacker-next-door who wants to get into the “Salary Comparison” workstation. He doesn’t know who owns this workstation, but he can search to find what the default Administrator passwords are for a Dell Latitude D600. If the built-in default doesn’t work, the would-be hacker may try some simple passwords like CompanyName123. You’d be stunned how often these basic password scenarios -- also available as mini computer programs on the Web -- are the fastest way into any organization’s data.

Once the hacker enters a target system with a privileged password, he now has more access to data than the system’s legitimate users. I know of one company, for example, where a disgruntled IT professional changed every password on the network. All software had to be reloaded. The company was basically shut down for days. Meanwhile, the angry ex-employee denied all knowledge of the incident. And who could prosecute him? The deed was done under an anonymous identity, the Administrator.

This leads to another question I am commonly asked: Why do most enterprises leave their privileged passwords, the keys to their kingdom, open and unmanaged? The reason is simple: manually changing these codes is extremely time-consuming. Visit professional hacker sites, and their biggest complaint about script kiddies is not that they exist, but that once these amateurs do something flagrant and dumb with privileged passwords, these wonderful secret passages into a company’s data get closed.

Of course there are automated ways to securely change privileged passwords, but until such solutions become standard tools in most enterprises, I’d keep a close eye on the folks around you. You never know who is privileged to YOUR information!

Calum Macleod is European director of Cyber-Ark.

2 comments

    Anonymous 3 years ago
    Please cite your source for your claim that "According to the FBI, internal hacker attacks make up 70 percent of all security breaches." The FBI has never published such an assertion. More at... http://70percenters.googlepages.com/ P.S. Welcome to the 70 Percenters Hall of Shame
    Anonymous 3 years ago in reply to Anonymous
    Dear Anonymous,
    Thank you for pointing this out to us. It seems we at Cyber-Ark have fallen into a common trap. Having heard and seen this FBI stat from reputable industry analysts and publications alike, we didn’t dispute it as a trustworthy report. Since the origin of this source is under question, however, we have replaced it with one of many compelling statistics from a Carnegie Mellon CERT study to demonstrate the growing threat internal hackers represent.
    Thank you,
    Adam Bosnian
    Vice President
    Cyber-Ark Software
